integer overflow check
Julien Cristau
jcristau at debian.org
Mon Dec 15 14:49:06 PST 2014
On Mon, Dec 15, 2014 at 17:56:56 +0100, jes at posteo.de wrote:
> diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
> index 221ec53..63191dc 100644
> --- a/hw/xfree86/dri2/dri2ext.c
> +++ b/hw/xfree86/dri2/dri2ext.c
> @@ -269,10 +269,11 @@ ProcDRI2GetBuffers(ClientPtr client)
> int status, width, height, count;
> unsigned int *attachments;
>
> - REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
> if (stuff->count > (INT_MAX / 4))
> return BadLength;
>
> + REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
> +
> if (!validDrawable(client, stuff->drawable, DixReadAccess |
> DixWriteAccess,
> &pDrawable, &status))
> return status;
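Review bot: The `stuff->count > (INT_MAX / 4)` test now runs ahead of `REQUEST_FIXED_SIZE`, and no other length check on the request is visible before it in this hunk, so `count` is read before anything has confirmed that the client sent a full `xDRI2GetBuffersReq`. Consider adding `REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);` before the comparison, so that the fixed part of the request is validated first, then the overflow test on `count`, then `REQUEST_FIXED_SIZE` with `stuff->count * 4`.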
As far as I can tell you're now reading stuff->count before checking
whether it's inside the request buffer?
Cheers,
Julien